snit/gemini
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
gemini/comp/gemini-yggdrasil.gmi
snit 6ac1a929c4 Guide for gemini+yggdrasil
2025-04-17 20:45:09 -05:00

77 lines
3.2 KiB
Text
Raw Permalink Blame History

# Hosting Gemini Capsules via Yggdrasil
Getting a gemini capsule running on Yggdrasil was harder than I would have thought. The main complexity came from the fact that gemini has mandatory TLS, combined with Yggdrasil predominantly being bare IPv6 addresses.
I suspect that this would have been no different than hosting a clearnet capsule had I been using Alfis to get an actual domain name, but I haven't set that up.
> NOTE: This guide assumes the use of gmid as the server. I have no clue how this works (or doesn't) on any other server.
## Prerequisites
This is NOT a guide to setting up Yggdrasil, nor for setting up gmid. I assume you already have a working Yggdrasil setup, as well as know how to run gmid for clearnet capsules.
## Self-signed Certificates
First of all, we have to generate a certificate. If you use a CA normally, you can't use their certificates; they don't usually issue certificates for IP addresses. This leaves us to issue our own, but gemini explicitly allows (and encourages) self-signed certificates, so you should probably use a self-signed one anyways.
I used openssl to generate the certificate we need. The gencert program included in gmid isn't meant to work with raw IP addresses, so it results in some sort of SANS error.
> NOTE: For full clarity, I didn't find much online about this, so I used ChatGPT to help me here. It worked for me, but I don't know if this is foolproof.
First we need to create a configuration file with the following content (replace 200:: with your Yggdrasil address):
```
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[dn]
CN = 200::
[req_ext]
subjectAltName = @alt_names
[alt_names]
IP.1 = 200::
[ v3_ca ]
subjectAltName = @alt_names
basicConstraints = CA:TRUE
keyUsage = digitalSignature, keyEncipherment, keyCertSign
```
The file can be named whatever; we'll be passing it manually into openssl next:
```
openssl req -x509 -nodes \
-days 365 \
-keyout ipv6.key \
-out ipv6.pem \
-config $YOUR_CONFIG
-extensions v3_ca
```
Finally, move the resulting ipv6.key and ipv6.pem files to your preferred location. I put my gmid keys in /etc/ssl/gmid/
## gmid Configuration
On my clearnet capsule, I'd used a wildcard statement for the listen declaration, but apparently that doesn't fly here. Replace the wildcard with the same IP address as used in the server declaration part. Also, do not surround them with brackets.
Here's an example:
```
server "200::1" {
listen on 200:1 port 1965
root "/srv/gmi/yggsite"
cert "/etc/ssl/gmid/ipv6.pem"
key "/etc/ssl/gmid/ipv6.key"
}
```
=> https://github.com/omar-polo/gmid/issues/25 Relevant discussion on GitHub.
Start up gmid and you should be able to connect!
As an aside, even though you can't put brackets in gmid's configuration, amfora won't work unless you DO put brackets into the URL:
```
amfora gemini://[200::1]
```
I'm not sure if this is a problem with gmid or amfora, or how it works on other clients, but I figured I'd note it down here, because I spent an extra twenty minutes thinking this wasn't working just because I stopped using brackets on amfora after gmid told me to.
Reference in a new issue View git blame Copy permalink